
Re: client certificate renewal -> "client-provided SSL certs unexpectedly changed during mid-session reauth"

Posted: Fri Jan 21, 2022 12:00 pm
by tgsbn
Looks good!
I added the line

```
explicit-exit-notify 1
```
to testwadiya's client.conf, and couldn't reproduce the problem with that configuration.
After another certificate renewal and reboot the tunnel came up fine:

```
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 TLS: Initial packet from [AF_INET]cli.ent.ip.addr:1194, sid=ae58e23f 212c3bed
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 VERIFY OK: depth=1, C=deleted
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 VERIFY OK: depth=0, C=deleted
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_VER=2.4.7
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_PLAT=linux
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_PROTO=2
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_NCP=2
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_LZ4=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_LZ4v2=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_LZO=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_COMP_STUB=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_COMP_STUBv2=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_TCPNL=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 [testwadiya.africa.a-net.de] Peer Connection Initiated with [AF_INET]cli.ent.ip.addr:1194
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 OPTIONS IMPORT: reading client specific options from: ccd/testwadiya.africa.a-net.de
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: Learn: 10.87.72.131 -> testwadiya.africa.a-net.de/cli.ent.ip.addr:1194
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: primary virtual IP for testwadiya.africa.a-net.de/cli.ent.ip.addr:1194: 10.87.72.131
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: internal route 10.72.131.0/24 -> testwadiya.africa.a-net.de/cli.ent.ip.addr:1194
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: Learn: 10.72.131.0/24 -> testwadiya.africa.a-net.de/cli.ent.ip.addr:1194
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 PUSH: Received control message: 'PUSH_REQUEST'
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 SENT CONTROL [testwadiya.africa.a-net.de]: 'PUSH_REPLY,route 10.103.0.0 255.255.0.0,route 10.102.0.0 255.255.0.0,<deleted>,push-continuation 2' (status=1)
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 SENT CONTROL [testwadiya.africa.a-net.de]: 'PUSH_REPLY,<deleted>,topology p2p,ping 60,ping-restart 240,ifconfig 10.87.72.131 10.87.0.1,peer-id 5,cipher AES-256-GCM,push-continuation 1' (status=1)
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
```
I don't see any downside to that setting, so I'll stage it for rollout to the production clients and watch whether it fixes the problem reliably.

Thanks so far!
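As an added defender-side check (example code, not from the thread or from OpenVPN itself), the script below parses server log lines in the format quoted above and reports, per client address, whether the TLS handshake went all the way to a keyed data channel or a mid-session reauth was rejected because the client certificate changed. The sample lines are constructed from the post; the text before the quoted error message in the last sample line is an assumption.

```python
import re
from collections import defaultdict
# Server log lines in the format quoted in the thread (constructed sample: the
# first five are trimmed from the post, the last is a hypothetical rejected
# reauth whose text before the quoted error message is assumed).
SAMPLE_LOG = """\
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 VERIFY OK: depth=1, C=deleted
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 VERIFY OK: depth=0, C=deleted
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 [testwadiya.africa.a-net.de] Peer Connection Initiated with [AF_INET]cli.ent.ip.addr:1194
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 10:41:03 s-laugz2ovpn02 openvpn[736]: otherclient.example/198.51.100.7:1194 TLS Error: client-provided SSL certs unexpectedly changed during mid-session reauth
"""

# "<date> <host> openvpn[<pid>]: <peer> <message>"; <peer> is "ip:port" until
# the server has verified the client's CN, then "cn/ip:port".
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ openvpn\[\d+\]: (?P<peer>\S+) (?P<msg>.*)$")
VERIFY_RE = re.compile(r"^VERIFY OK: depth=(\d+)")
INITIATED_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")
CERT_CHANGED = "client-provided SSL certs unexpectedly changed during mid-session reauth"

def analyze(log_text):
    """Summarise, per client address, how far each TLS session got."""
    sessions = defaultdict(lambda: {"cn": None, "depths": set(), "channels": set(),
                                    "cert_changed_on_reauth": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-peer openvpn line
        cn, _, addr = m.group("peer").rpartition("/")
        s, msg = sessions[addr], m.group("msg")
        if cn:
            s["cn"] = cn
        if v := VERIFY_RE.match(msg):
            s["depths"].add(int(v.group(1)))
        elif i := INITIATED_RE.match(msg):
            s["cn"] = i.group("cn")
        elif "Data Channel: Cipher" in msg:
            s["channels"].add(msg.split()[0])  # "Outgoing" or "Incoming"
        elif CERT_CHANGED in msg:
            s["cert_changed_on_reauth"] = True
    return {addr: {
        "cn": s["cn"],
        "verified_depths": sorted(s["depths"]),
        # leaf cert (depth 0) verified, CN learned, both data-channel directions keyed
        "handshake_complete": 0 in s["depths"] and s["cn"] is not None
                              and s["channels"] == {"Outgoing", "Incoming"},
        "cert_changed_on_reauth": s["cert_changed_on_reauth"],
    } for addr, s in sessions.items()}
```

Run it against a real server log after a renewal-plus-reboot cycle: a client that shows `cert_changed_on_reauth` without a later `handshake_complete` is one the server is still holding a stale session for.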

Re: client certificate renewal -> "client-provided SSL certs unexpectedly changed during mid-session reauth"

Posted: Mon Jan 31, 2022 8:15 pm
by tgsbn
Confirmed. The setting reliably avoids the problem, with no ill side effects.
Thanks again!